Prune your Dependabot Alerts

Stop wasting time on unreachable vulnerabilities. Focus on the risk that really matters

False-positives are costing you money

Every Dependabot alert looks important, but most of them are unreachable. Whether because the vulnerable function is never called, because it is only ever invoked with hardcoded safe parameters, or for a multitude of other reasons, some vulnerabilities can never actually be exploited.

Despite this, developers waste hours triaging and fixing these issues leading to increased costs, missed features, delayed releases, and frustrated engineers.

Vulnprune cuts through the noise by automatically dismissing false positives in JavaScript and TypeScript packages, so your security team sees what truly matters and your developers get back to building. No manual steps: we do all the work while you sit back and relax.

Features

Fire-and-forget

Install it once and walk away. Vulnprune runs in the background without dashboards, configs, or manual steps.

Save time

Vulnprune automatically dismisses unreachable vulnerabilities, freeing your team to ship features that give value to your business.

Reduce noise

Vulnprune filters out unreachable alerts so the real issues emerge clearly and your team can prioritize what's important.

Auditable changes

Every dismissed alert includes a comment with links to the rules applied and the reasoning behind them, ensuring transparency.

How it works

We read the dependency lockfiles in your codebase and build a dependency graph from them, marking every path that leads to the vulnerable component.

We compare each path against the pre-defined rules we created, and prune the paths that match a rule.

If all the paths are pruned, the alert is closed.
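
As an added illustration of the three steps above (example code, not Vulnprune's own), this Node.js snippet builds the graph from a constructed, hoisted package-lock.json v3 "packages" map, enumerates every path to a vulnerable package, applies one hypothetical rule, and closes the alert only when every path is pruned. The lockfile contents, the rule and its URL are assumptions made here.

```javascript
// Constructed, hoisted package-lock.json v3 "packages" map (not a real project).
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "web-core": "1.0.0" }, devDependencies: { "test-runner": "2.0.0" } },
    "node_modules/web-core": { version: "1.0.0", dependencies: { "safe-util": "3.0.0" } },
    "node_modules/safe-util": { version: "3.0.0" },
    "node_modules/test-runner": { version: "2.0.0", dev: true, dependencies: { "vuln-pkg": "0.9.0" } },
    "node_modules/vuln-pkg": { version: "0.9.0", dev: true },
  },
};
// Hypothetical rule (not Vulnprune's): prune a path whose first hop from the root is
// declared only under devDependencies, since dev-only code is not shipped to production.
const RULES = [{
  id: "dev-only-path",
  url: "https://example.invalid/rules/dev-only-path", // placeholder link
  prune: (path, lock) => {
    const root = lock.packages[""];
    return !!root.devDependencies?.[path[1]] && !root.dependencies?.[path[1]];
  },
}];

// Lockfile -> adjacency map (package name -> dependency names). Assumes a flat tree.
function buildGraph(lock) {
  const graph = new Map();
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = key === "" ? "" : key.slice(key.lastIndexOf("node_modules/") + 13);
    graph.set(name, Object.keys({ ...entry.dependencies, ...entry.devDependencies }));
  }
  return graph;
}

// All simple paths from the root ("") to the vulnerable package.
function findPaths(graph, target) {
  const paths = [];
  const walk = (node, path) => {
    if (node === target) { paths.push(path); return; }
    for (const dep of graph.get(node) ?? []) if (!path.includes(dep)) walk(dep, [...path, dep]);
  };
  walk("", [""]);
  return paths;
}

// Dismiss only when every path is pruned; a package with no path at all stays open for review.
function triage(lock, target, rules = RULES) {
  const paths = findPaths(buildGraph(lock), target);
  const matched = paths.map((p) => rules.find((r) => r.prune(p, lock)) ?? null);
  const dismiss = paths.length > 0 && matched.every(Boolean);
  const links = [...new Set(matched.filter(Boolean).map((r) => r.url))].join(", ");
  const comment = dismiss ? `Dismissed: all ${paths.length} path(s) pruned; rules: ${links}`
    : "Kept: a path to the vulnerable package is not covered by any rule";
  return { paths, dismiss, comment };
}
```

The returned `comment` is the kind of audit note the alert would carry, naming the rule links that justified the dismissal.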

Frequently Asked Questions

Will it hide real vulnerabilities?

If an alert is deemed unreachable and closed, Vulnprune leaves a comment in the alert with links to the rules used to reach that conclusion. Furthermore, if we find a rule to be inaccurate and delete it, all alerts closed by that rule automatically reopen.

Does it work with private repositories?

Yes!

What languages are supported?

Currently focused on JavaScript and TypeScript. More coming soon.

Do you want a specific language to be supported? Please leave a message in our contact section, so that we can prioritize it if enough people ask for it!